OpenSSL: Do not require a PIN for PKCS#11

It isn't mandatory. If we need one and it's not present, the ENGINE will try asking for it. Make sure it doesn't actually let an OpenSSL UI loose, since we don't currently capture those. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2014-12-18 15:09:55 +00:00 · 2014-12-18 15:09:55 +00:00 · a642a52b17
commit a642a52b17
parent 96955192b3
1 changed files with 12 additions and 8 deletions
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -897,12 +897,6 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 		wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
 		return -1;
 	}
-#ifndef ANDROID
-	if (pin == NULL) {
-		wpa_printf(MSG_ERROR, "ENGINE: Smartcard PIN not set");
-		return -1;
-	}
-#endif

 	ERR_clear_error();
 #ifdef ANDROID
@ -923,16 +917,26 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 	wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");

 #ifndef ANDROID
-	if (ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
+	if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
 		wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
 			   ERR_error_string(ERR_get_error(), NULL));
 		goto err;
 	}
 #endif
 	if (key_id) {
+		/*
+		 * Ensure that the ENGINE does not attempt to use the OpenSSL
+		 * UI system to obtain a PIN, if we didn't provide one.
+		 */
+		struct {
+			const void *password;
+			const char *prompt_info;
+		} key_cb = { "", NULL };
+
 		/* load private key first in-case PIN is required for cert */
 		conn->private_key = ENGINE_load_private_key(conn->engine,
-							    key_id, NULL, NULL);
+							    key_id, NULL,
+							    &key_cb);
 		if (!conn->private_key) {
 			wpa_printf(MSG_ERROR,
 				   "ENGINE: cannot load private key with id '%s' [%s]",